[jira] [Commented] (OFBIZ-6721) org.ofbiz.common.login.LoginServices.userLogin causes stack track when username or password is incorrect

2015-11-14 Thread Jacques Le Roux (JIRA)

[ https://issues.apache.org/jira/browse/OFBIZ-6721?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15005640#comment-15005640 ]

Jacques Le Roux commented on OFBIZ-6721:


That would be appreciated I think!

> org.ofbiz.common.login.LoginServices.userLogin causes stack track when 
> username or password is incorrect
> 
>
> Key: OFBIZ-6721
> URL: https://issues.apache.org/jira/browse/OFBIZ-6721
> Project: OFBiz
>  Issue Type: Improvement
>  Components: commonext/setup
>Affects Versions: Release Branch 11.04, Release Branch 12.04, Release 
> Branch 13.07, Release Branch 14.12, Trunk
>Reporter: Forrest Rae
>Assignee: Jacques Le Roux
>Priority: Trivial
>  Labels: log, test-failure
> Fix For: 14.12.01, 12.04.06, 13.07.03, Upcoming Branch
>
> Attachments: OFBIZ-6721.patch
>
>
> org.ofbiz.common.login.LoginServices.userLogin is returning ERROR when a 
> username or password is incorrect.  It should return FAILURE instead of 
> error.  The error causes a stack trace to be printed to the log.  The stack 
> trace makes watching the log for actual errors difficult.  This is especially 
> hard when running and analyzing the log after a full test run, or in my case, 
> a custom set of test cases.
> Stack trace:
> [java] 2015-11-12 16:35:00,412 |ajp-bio-8009-exec-7  |LoginWorker |I| Setting default delegator
> [java] 2015-11-12 16:35:00,413 |ajp-bio-8009-exec-7  |LoginServices |I| [LoginServices.userLogin] : Password Incorrect
> [java] 2015-11-12 16:35:00,420 |ajp-bio-8009-exec-7  |ServiceDispatcher |E| Error in Service [userLogin]: Password incorrect.
> [java] 2015-11-12 16:35:00,420 |ajp-bio-8009-exec-7  |TransactionUtil |E| [TransactionUtil.rollback]
> [java] java.lang.Exception: Stack Trace
> [java]     at org.ofbiz.entity.transaction.TransactionUtil.rollback(TransactionUtil.java:322) [ofbiz-entity.jar:?]
> [java]     at org.ofbiz.entity.transaction.TransactionUtil.rollback(TransactionUtil.java:299) [ofbiz-entity.jar:?]
> [java]     at org.ofbiz.service.ServiceDispatcher.runSync(ServiceDispatcher.java:534) [ofbiz-service.jar:?]
> [java]     at org.ofbiz.service.ServiceDispatcher.runSync(ServiceDispatcher.java:227) [ofbiz-service.jar:?]
> [java]     at org.ofbiz.service.GenericDispatcherFactory$GenericDispatcher.runSync(GenericDispatcherFactory.java:88) [ofbiz-service.jar:?]
> [java]     at org.ofbiz.webapp.control.LoginWorker.login(LoginWorker.java:488) [ofbiz-webapp.jar:?]
> [java]     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_60]
> [java]     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_60]
> [java]     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_60]
> [java]     at java.lang.reflect.Method.invoke(Method.java:497) ~[?:1.8.0_60]
> [java]     at org.ofbiz.webapp.event.JavaEventHandler.invoke(JavaEventHandler.java:92) [ofbiz-webapp.jar:?]
> [java]     at org.ofbiz.webapp.event.JavaEventHandler.invoke(JavaEventHandler.java:78) [ofbiz-webapp.jar:?]
> [java]     at org.ofbiz.webapp.control.RequestHandler.runEvent(RequestHandler.java:759) [ofbiz-webapp.jar:?]
> [java]     at org.ofbiz.webapp.control.RequestHandler.doRequest(RequestHandler.java:476) [ofbiz-webapp.jar:?]
> [java]     at org.ofbiz.webapp.control.ControlServlet.doGet(ControlServlet.java:213) [ofbiz-webapp.jar:?]
> [java]     at org.ofbiz.webapp.control.ControlServlet.doPost(ControlServlet.java:88) [ofbiz-webapp.jar:?]
> [java]     at javax.servlet.http.HttpServlet.service(HttpServlet.java:646) [servlet-api-3.0.jar:?]
> [java]     at javax.servlet.http.HttpServlet.service(HttpServlet.java:727) [servlet-api-3.0.jar:?]
> [java]     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303) [tomcat-7.0.64-catalina.jar:7.0.64]
> [java]     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) [tomcat-7.0.64-catalina.jar:7.0.64]
> [java]     at org.ofbiz.webapp.control.ContextFilter.doFilter(ContextFilter.java:323) [ofbiz-webapp.jar:?]
> [java]     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) [tomcat-7.0.64-catalina.jar:7.0.64]
> [java]     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) [tomcat-7.0.64-catalina.jar:7.0.64]
> [java]     at org.apache.catalina.core.StandardWra

[jira] [Commented] (OFBIZ-6721) org.ofbiz.common.login.LoginServices.userLogin causes stack track when username or password is incorrect

2015-11-14 Thread Forrest Rae (JIRA)

[ https://issues.apache.org/jira/browse/OFBIZ-6721?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15005621#comment-15005621 ]

Forrest Rae commented on OFBIZ-6721:


Thanks Jacques, I'll take some time in the next month or so to improve the 
password checking code a bit in trunk, and put in support for PBKDF2 with 
rolling password hash upgrades for posix style password storage.

> org.ofbiz.common.login.LoginServices.userLogin causes stack track when 
> username or password is incorrect
> 
>
> Key: OFBIZ-6721
> URL: https://issues.apache.org/jira/browse/OFBIZ-6721
> Project: OFBiz
>  Issue Type: Improvement
>  Components: commonext/setup
>Affects Versions: Release Branch 11.04, Release Branch 12.04, Release 
> Branch 13.07, Release Branch 14.12, Trunk
>Reporter: Forrest Rae
>Assignee: Jacques Le Roux
>Priority: Trivial
>  Labels: log, test-failure
> Fix For: 14.12.01, 12.04.06, 13.07.03, Upcoming Branch
>
> Attachments: OFBIZ-6721.patch
>
>

[jira] [Commented] (OFBIZ-6721) org.ofbiz.common.login.LoginServices.userLogin causes stack track when username or password is incorrect

2015-11-13 Thread Forrest Rae (JIRA)

[ https://issues.apache.org/jira/browse/OFBIZ-6721?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15004547#comment-15004547 ]

Forrest Rae commented on OFBIZ-6721:


I believe it is a bug.  You have to consider how this is being used by people 
extending the framework.  The difference between ERROR and FAILURE when it 
comes to authentication, especially when you need to rely on 
ignore-failure="false" ignore-error="false", is a blocker for me.  I have a 
SECA on userLogin service, and I need to know if there was an ERROR, or there 
was a FAILURE.  This prevents my ability to augment the authentication process.

In my use case, I need to make sure OOTB authentication passes, and then I need 
to check the status of a series of relationships, and then I save some data to 
some custom entities.  Here is my SECA:





I considered building an external 
org.ofbiz.common.authentication.api.Authenticator, but the main issue is the 
external auth runs first, before the password check.  This creates an 
opportunity to brute force usernames based on time inference, if the code has 
to do several operations before ever checking if the authentication details are 
correct, not to mention invalid data to custom entities.  A SECA is more 
advantageous here.

> org.ofbiz.common.login.LoginServices.userLogin causes stack track when 
> username or password is incorrect
> 
>
> Key: OFBIZ-6721
> URL: https://issues.apache.org/jira/browse/OFBIZ-6721
> Project: OFBiz
>  Issue Type: Improvement
>  Components: commonext/setup
>Affects Versions: Release Branch 11.04, Release Branch 12.04, Release 
> Branch 13.07, Release Branch 14.12, Trunk
>Reporter: Forrest Rae
>Assignee: Jacques Le Roux
>Priority: Trivial
>  Labels: log, test-failure
> Fix For: Upcoming Branch
>
> Attachments: OFBIZ-6721.patch
>
>
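The ERROR-versus-FAILURE distinction argued over in this thread, as an added example that is not OFBiz code: a small Python stand-in for the dispatcher's handling of a service result (only ERROR rolls back and logs a stack trace; FAILURE commits quietly) plus a post-login SECA-style action whose own FAILURE propagates into the login result. The names `run_sync`, `user_login_before`, `user_login_after`, `post_login_check`, the credential table and the "active party" set are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample credential store (username -> salted SHA-256 hex digest).
_SALT = b"constructed-salt"

def _digest(password: str) -> str:
    return hashlib.sha256(_SALT + password.encode()).hexdigest()

USERS = {"admin": _digest("ofbiz"), "guest": _digest("guest")}
# Constructed stand-in for the "series of relationships" the SECA action checks.
ACTIVE_PARTIES = {"admin"}

def _password_ok(username, password):
    stored = USERS.get(username)
    return stored is not None and hmac.compare_digest(stored, _digest(password))

def user_login_before(username, password):
    """Pre-fix behaviour: a wrong password is reported as ERROR (forces a rollback)."""
    if not _password_ok(username, password):
        return {"responseMessage": "error", "errorMessage": "Password incorrect."}
    return {"responseMessage": "success", "userLogin": username}

def user_login_after(username, password):
    """Post-fix behaviour: a wrong password is a business FAILURE, not an ERROR."""
    if not _password_ok(username, password):
        return {"responseMessage": "fail", "errorMessage": "Password incorrect."}
    return {"responseMessage": "success", "userLogin": username}

def post_login_check(result):
    """Assumed SECA action: rejects logins whose party is not active."""
    if result["userLogin"] not in ACTIVE_PARTIES:
        return {"responseMessage": "fail", "errorMessage": "Party not active."}
    return {"responseMessage": "success"}

def run_sync(service, actions, log, **ctx):
    """Stand-in for ServiceDispatcher.runSync (modelled, not OFBiz code).
    'return' actions run only after the service succeeded; a non-success
    result from an action replaces the overall result, which is what a SECA
    with ignore-error="false" ignore-failure="false" relies on. Only ERROR
    triggers the rollback plus stack-trace log line; FAILURE logs at info."""
    result = service(**ctx)
    if result["responseMessage"] == "success":
        for action in actions:
            sub = action(result)
            if sub["responseMessage"] != "success":
                result = dict(result, **sub)
                break
    status = result["responseMessage"]
    if status == "error":
        log.append("E| Error in Service [userLogin]: " + result["errorMessage"])
        log.append("E| [TransactionUtil.rollback] java.lang.Exception: Stack Trace")
    elif status == "fail":
        log.append("I| Service [userLogin] failed: " + result["errorMessage"])
    return result
```

With the pre-fix service every wrong password leaves a rollback stack trace in the log; with the post-fix service the same attempt is a plain FAILURE, and a SECA action can still turn a correct password into a FAILURE without any rollback noise.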

[jira] [Commented] (OFBIZ-6721) org.ofbiz.common.login.LoginServices.userLogin causes stack track when username or password is incorrect

2015-11-13 Thread Jacques Le Roux (JIRA)

[ https://issues.apache.org/jira/browse/OFBIZ-6721?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15004338#comment-15004338 ]

Jacques Le Roux commented on OFBIZ-6721:


Yes indeed, I see no reason why we should roll back here.

> org.ofbiz.common.login.LoginServices.userLogin causes stack track when 
> username or password is incorrect
> 
>
> Key: OFBIZ-6721
> URL: https://issues.apache.org/jira/browse/OFBIZ-6721
> Project: OFBiz
>  Issue Type: Bug
>  Components: commonext/setup
>Affects Versions: Release Branch 11.04, Release Branch 12.04, Release 
> Branch 13.07, Release Branch 14.12, Trunk
>Reporter: Forrest Rae
>  Labels: log, test-failure
> Attachments: OFBIZ-6721.patch
>
>